At work, engineers are strongly encouraged to use an additional factor of authentication for SSH keys, rather than the traditional passwordless approach. While Yubikeys work well for this type of thing, I found that 1Password’s SSH support is actually much more ergonomic.

The way that 1Password’s SSH integration works is that you specify an IdentityAgent in your SSH config which is what tells Git and other tools how to access your SSH keys stored in 1Password. When you create an SSH key in 1Password, the file it creates on disk is simply a reference to the item in 1Password, so your private key is never stored on disk and can only be accessed through 1Password.

Configure the 1Password identity agent

To use 1Password for SSH, we first need to configure the identity agent. The agent will run in the background and trigger you to authenticate when pushing to GitHub.

• Open 1Password settings
• Click Developer in the sidebar
• Check “Use the SSH Agent”

Setup SSH key in 1Password

With the identity agent configured, we need to create a new SSH key in 1Password.

• Click “New Item”
• Click “Show more”
• Click “SSH Key”
• Click “Add Private Key”
• Click “Generate a New Key”
• Click “Generate”
• Click “Save”

Save your public key

Unlike traditional SSH key generation, 1Password will fully own the private key, so when we save the key to our ~/.ssh directory, we will be using the public key that 1Password uses to identify the private key.

In 1Password, click on the public key to copy it and run the following command:

pbpaste > ~/.ssh/id_ed25519.pub

Update your SSH config

Next, we need to update our SSH config to use the 1Password identity agent. This is what allows 1Password to use the public key to identify the private key and then authenticate with the server.